
Canadian hacker dupes Walmart to win Def Con prize

Shane MacDougall, a security consultant, won the "social engineering" contest at the Def Con hackers conference in Las Vegas after getting a Walmart employee to divulge sensitive information over the phone. (Photo courtesy of Dan Tentler)

Shane MacDougall, a hacker/security consultant, duped a Walmart employee into giving him information that could be used in a hacker attack, winning a coveted 'black badge' at a Las Vegas hacker convention. (Supplied photo)

By Jessica McDiarmid, Staff Reporter

Wed., Aug. 8, 2012

It was an elaborate yarn, weeks in the making.

“Gary Darnell” from Walmart’s home office in Bentonville, Ark., called a store in Western Canada. He lamented having to work the weekend.

He explained that NATO was shopping around for a private retailer who could serve as part of its supply chain in the event of a pandemic.

“Or at least that’s what they say it’s about,” Darnell cracked with the store manager. “Who knows, maybe they’re practising for an alien invasion — don’t know, don’t care — all I know is that the company can make a ton of cash off it.”

Darnell told the manager he’d be coming up to Canada to help plan the exercise, which would see NATO types coming in to survey products and later, to buy them in a hurry, as they would in an emergency.

From his glass booth in front of chuckling onlookers, MacDougall, posing as Darnell, extracted 75 pieces of information in the 20-minute phone call, winning the contest and receiving a coveted black badge for his efforts. In the contest's three years, no competitor had previously collected every assigned data point.

MacDougall found out all about the store’s security, its cafeteria, who cleans it after-hours and who disposes of its garbage. He learned when employees are paid, who provides IT support, what computers, operating systems and anti-virus programs are used.

In short, he got all sorts of information that could be used in a hacker attack. How? A bit of research and an ability to spin a few lies over the phone.

As security systems get increasingly difficult to crack, hackers are turning toward a new source of information: people.

“Companies are way more aware about their security. They’ve got firewalls, intrusion detection, log-in systems going into place, so it’s a lot harder for a hacker to break in these days, or to at least break in undetected,” MacDougall said. “So a bunch of hackers now are going to the weakest link, and the link that companies just aren’t protecting, which is the people.”

The technique, referred to as “social engineering,” is extremely common and “devastatingly effective,” MacDougall said.

“It works for me every single time, and it shouldn’t.”

Others targeted in the contest, with varying success, include major companies such as Shell, Exxon-Mobil, FedEx and UPS. Competitors don’t try to collect information that would be of “serious immediate threat,” such as passwords or customer data. The point isn’t to jeopardize or embarrass anyone, but rather to show how easy it is to get sensitive information.

Walmart’s corporate communications did not respond to a request for comment.

Chris Hadnagy, who organizes the Def Con contest, said social engineering is a “hardly discussed, trained or defended against” threat.

“Social engineering is the easiest and most widely used way to infiltrate companies,” Hadnagy said.

“People think they can’t or won’t fall for it, companies feel their security awareness covers it. So a competition like this shows how easy it is to get someone to tell you anything, to get information that could lead to a breach.”

How to avoid falling victim to a ‘social engineer’

• Never be afraid to say no. If something feels wrong, something is wrong.

• An IT department should never be calling asking about operating systems, machines, passwords or email systems — they already know. If someone’s asking, that should raise flags.

• If it seems suspicious, take the caller’s name and number, hang up, and call back on a number you look up yourself (the company directory or switchboard), not the one the caller gives you. Take some time vetting the caller to see if they are who they say they are.

• Set up an internal company security word of the day and don’t give any information to anyone who doesn’t know it. Treat it as a speed bump rather than proof of identity: anyone who talks one employee into revealing it can use it on everyone else that day.

• Keep tabs on what’s on the web. Companies inadvertently release tons of information online, including through employees’ social media sites. “Deep-dive” to see what information is out there.

